CVE-2009-2334 - Improper Authentication vulnerability in Wordpress and Wordpress MU
Summary
wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Authentication Abuse: An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
- Exploiting Trust in Client (aka Make the Client Invisible): An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Utilizing REST's Trust in the System Resource to Register Man in the Middle: This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to place a man in the middle once SSL is terminated. The premise of REST applications is that they leverage existing infrastructure to deliver web services functionality. An example of this is a REST application that uses HTTP GET methods and receives an HTTP response with an XML document. These REST-style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so REST developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized users do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
- Man in the Middle Attack: This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identity between two components.
Exploit-Db
description | WordPress Privileges Unchecked in admin.php and Multiple Information. CVE-2009-2334. Webapps exploit for php platform |
file | exploits/php/webapps/9110.txt |
id | EDB-ID:9110 |
last seen | 2016-02-01 |
modified | 2009-07-10 |
platform | php |
port | |
published | 2009-07-10 |
reporter | Core Security |
source | https://www.exploit-db.com/download/9110/ |
title | WordPress - Privileges Unchecked in admin.php and Multiple Information |
type | webapps |
Nessus
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2009-7729.NASL |
description | - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> - 2.8.1-1 - updated to 2.8.1 for security fixes - BZ 510745 - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> - 2.8-1 - updated to 2.8 - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.7.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - Wed Feb 11 2009 Adrian Reber <adrian at lisas.de> - 2.7.1-1 - updated to 2.7.1 - Wed Nov 26 2008 Adrian Reber <adrian at lisas.de> - 2.6.5-2 - updated to 2.6.5 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 39859 |
published | 2009-07-20 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/39859 |
title | Fedora 10 : wordpress-2.8.1-1.fc10 (2009-7729) |
code |

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2009-7729.
    #

    include("compat.inc");

    if (description)
    {
      script_id(39859);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:30");

      script_cve_id("CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336");
      script_bugtraq_id(35584);
      script_xref(name:"FEDORA", value:"2009-7729");

      script_name(english:"Fedora 10 : wordpress-2.8.1-1.fc10 (2009-7729)");
      script_summary(english:"Checks rpm output for the updated package.");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    " - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> - 2.8.1-1 - updated to 2.8.1 for security fixes - BZ 510745
     - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> - 2.8-1 - updated to 2.8
     - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.7.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
     - Wed Feb 11 2009 Adrian Reber <adrian at lisas.de> - 2.7.1-1 - updated to 2.7.1
     - Wed Nov 26 2008 Adrian Reber <adrian at lisas.de> - 2.6.5-2 - updated to 2.6.5
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=510745"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2009-July/026605.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e8bdf78e"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected wordpress package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(16, 287);

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wordpress");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");

      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/20");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    flag = 0;
    if (rpm_check(release:"FC10", reference:"wordpress-2.8.1-1.fc10")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wordpress");
    }

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2009-7701.NASL |
description | - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> - 2.8.1-1 - updated to 2.8.1 for security fixes - BZ 510745 - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> - 2.8-1 - updated to 2.8 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 39856 |
published | 2009-07-20 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/39856 |
title | Fedora 11 : wordpress-2.8.1-1.fc11 (2009-7701) |
code |

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2009-7701.
    #

    include("compat.inc");

    if (description)
    {
      script_id(39856);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:30");

      script_cve_id("CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336");
      script_bugtraq_id(35584);
      script_xref(name:"FEDORA", value:"2009-7701");

      script_name(english:"Fedora 11 : wordpress-2.8.1-1.fc11 (2009-7701)");
      script_summary(english:"Checks rpm output for the updated package.");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    " - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> - 2.8.1-1 - updated to 2.8.1 for security fixes - BZ 510745
     - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> - 2.8-1 - updated to 2.8
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=510745"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2009-July/026561.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2ce20061"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected wordpress package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(16, 287);

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wordpress");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:11");

      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/20");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^11([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 11.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    flag = 0;
    if (rpm_check(release:"FC11", reference:"wordpress-2.8.1-1.fc11")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wordpress");
    }

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-1871.NASL |
description | Several vulnerabilities have been discovered in wordpress, weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems : |
- CVE-2008-6762 It was discovered that wordpress is prone to an open redirect vulnerability which allows remote attackers to conduct phishing attacks.
- CVE-2008-6767 It was discovered that remote attackers had the ability to trigger an application upgrade, which could lead to a denial of service attack.
- CVE-2009-2334 It was discovered that wordpress lacks authentication checks in the plugin configuration, which might leak sensitive information.
- CVE-2009-2854 It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions.
- CVE-2009-2851 It was discovered that the administrator interface is prone to a cross-site scripting attack.
- CVE-2009-2853 It was discovered that remote attackers can gain privileges via certain direct requests.
- CVE-2008-1502 It was discovered that the _bad_protocol_once function in KSES, as used by wordpress, allows remote attackers to perform cross-site scripting attacks.
- CVE-2008-4106 It was discovered that wordpress lacks certain checks around user information, which could be used by attackers to change the password of a user.
- CVE-2008-4769 It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code.
- CVE-2008-4796 It was discovered that the _httpsrequest function in the embedded snoopy version is prone to the execution of arbitrary commands via shell metacharacters in https URLs.
- CVE-2008-5113 It was discovered that wordpress relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier to perform attacks via crafted cookies.
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44736 |
published | 2010-02-24 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/44736 |
title | Debian DSA-1871-1 : wordpress - several vulnerabilities |
code |

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DSA-1871. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(44736);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:22");

      script_cve_id("CVE-2008-1502", "CVE-2008-4106", "CVE-2008-4769", "CVE-2008-4796", "CVE-2008-5113", "CVE-2008-6762", "CVE-2008-6767", "CVE-2009-2334", "CVE-2009-2851", "CVE-2009-2853", "CVE-2009-2854");
      script_bugtraq_id(28599, 31068, 31887, 35584, 35935);
      script_xref(name:"DSA", value:"1871");

      script_name(english:"Debian DSA-1871-1 : wordpress - several vulnerabilities ");
      script_summary(english:"Checks dpkg output for the updated package");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Several vulnerabilities have been discovered in wordpress, weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems :
     - CVE-2008-6762 It was discovered that wordpress is prone to an open redirect vulnerability which allows remote attackers to conduct phishing attacks.
     - CVE-2008-6767 It was discovered that remote attackers had the ability to trigger an application upgrade, which could lead to a denial of service attack.
     - CVE-2009-2334 It was discovered that wordpress lacks authentication checks in the plugin configuration, which might leak sensitive information.
     - CVE-2009-2854 It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions.
     - CVE-2009-2851 It was discovered that the administrator interface is prone to a cross-site scripting attack.
     - CVE-2009-2853 It was discovered that remote attackers can gain privileges via certain direct requests.
     - CVE-2008-1502 It was discovered that the _bad_protocol_once function in KSES, as used by wordpress, allows remote attackers to perform cross-site scripting attacks.
     - CVE-2008-4106 It was discovered that wordpress lacks certain checks around user information, which could be used by attackers to change the password of a user.
     - CVE-2008-4769 It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code.
     - CVE-2008-4796 It was discovered that the _httpsrequest function in the embedded snoopy version is prone to the execution of arbitrary commands via shell metacharacters in https URLs.
     - CVE-2008-5113 It was discovered that wordpress relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier to perform attacks via crafted cookies."
      );
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531736");
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536724");
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504243");
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500115");
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504234");
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-6762");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-6767");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-2334");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-2854");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-2851");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-2853");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-1502");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4106");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4769");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4796");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-5113");
      script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2009/dsa-1871");
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade the wordpress packages. For the oldstable distribution (etch), these problems have been fixed in version 2.0.10-1etch4. For the stable distribution (lenny), these problems have been fixed in version 2.5.1-11+lenny1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"Moodle <= 1.8.4 RCE");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(20, 22, 59, 79, 94, 264, 287, 352);

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");

      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/08/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

      exit(0);
    }

    include("audit.inc");
    include("debian_package.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

    flag = 0;
    if (deb_check(release:"4.0", prefix:"wordpress", reference:"2.0.10-1etch4")) flag++;
    if (deb_check(release:"5.0", prefix:"wordpress", reference:"2.5.1-11+lenny1")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2009-8538.NASL |
description | Update spans MU-versions for the following security releases from upstream: http://wordpress.org/development/2009/08/2-8-4-security-release/ http://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele ase/ - Backport of XSS fixes from WordPress 2.8.2 * Backport of security fixes for admin.php?page= bugs (CVE-2009-2334) Backport of security fixes for admin.php?page= bugs (CVE-2009-2334) Backport of security fixes for admin.php?page= bugs (CVE-2009-2334) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 40601 |
published | 2009-08-18 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/40601 |
title | Fedora 10 : wordpress-mu-2.8.4a-1.fc10 (2009-8538) |
code |

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2009-8538.
    #

    include("compat.inc");

    if (description)
    {
      script_id(40601);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:30");

      script_cve_id("CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336");
      script_bugtraq_id(34075, 35581, 35584);
      script_xref(name:"FEDORA", value:"2009-8538");

      script_name(english:"Fedora 10 : wordpress-mu-2.8.4a-1.fc10 (2009-8538)");
      script_summary(english:"Checks rpm output for the updated package.");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Update spans MU-versions for the following security releases from upstream:
    http://wordpress.org/development/2009/08/2-8-4-security-release/
    http://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele ase/
     - Backport of XSS fixes from WordPress 2.8.2
     * Backport of security fixes for admin.php?page= bugs (CVE-2009-2334)
    Backport of security fixes for admin.php?page= bugs (CVE-2009-2334)
    Backport of security fixes for admin.php?page= bugs (CVE-2009-2334)
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
      );
      # http://wordpress.org/development/2009/08/2-8-4-security-release/
      script_set_attribute(
        attribute:"see_also",
        value:"https://wordpress.org/news/2009/08/2-8-4-security-release/"
      );
      # http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3ab4dc04"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=510745"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/027878.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?22ed89ca"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected wordpress-mu package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(16, 287);

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wordpress-mu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");

      script_set_attribute(attribute:"patch_publication_date", value:"2009/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/18");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    flag = 0;
    if (rpm_check(release:"FC10", reference:"wordpress-mu-2.8.4a-1.fc10")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wordpress-mu");
    }

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2009-8529.NASL |
description | Update spans MU-versions for the following security releases from upstream: http://wordpress.org/development/2009/08/2-8-4-security-release/ http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/ - Backport of XSS fixes from WordPress 2.8.2 * Backport of security fixes for admin.php?page= bugs (CVE-2009-2334) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 40599 |
published | 2009-08-18 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/40599 |
title | Fedora 11 : wordpress-mu-2.8.4a-1.fc11 (2009-8529) |
code

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2009-8529.
#

include("compat.inc");

if (description)
{
  script_id(40599);
  script_version ("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:30");

  script_cve_id("CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336");
  script_bugtraq_id(35581, 35584);
  script_xref(name:"FEDORA", value:"2009-8529");

  script_name(english:"Fedora 11 : wordpress-mu-2.8.4a-1.fc11 (2009-8529)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Update spans MU-versions for the following security releases from upstream: http://wordpress.org/development/2009/08/2-8-4-security-release/ http://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele ase/ - Backport of XSS fixes from WordPress 2.8.2 * Backport of security fixes for admin.php?page= bugs (CVE-2009-2334) Backport of security fixes for admin.php?page= bugs (CVE-2009-2334) Backport of security fixes for admin.php?page= bugs (CVE-2009-2334) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  # http://wordpress.org/development/2009/08/2-8-4-security-release/
  script_set_attribute(
    attribute:"see_also",
    value:"https://wordpress.org/news/2009/08/2-8-4-security-release/"
  );
  # http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?3ab4dc04"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=510745"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/027867.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d10c5281"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected wordpress-mu package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(16, 287);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wordpress-mu");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:11");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/08/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^11([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 11.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC11", reference:"wordpress-mu-2.8.4a-1.fc11")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wordpress-mu");
}
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/79033/CORE-2009-0515.txt |
id | PACKETSTORM:79033 |
last seen | 2016-12-05 |
published | 2009-07-08 |
reporter | Core Security Technologies |
source | https://packetstormsecurity.com/files/79033/Core-Security-Technologies-Advisory-2009.0515.html |
title | Core Security Technologies Advisory 2009.0515 |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:14855 |
last seen | 2017-11-19 |
modified | 2009-07-10 |
published | 2009-07-10 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-14855 |
title | WordPress Privileges Unchecked in admin.php and Multiple Information |

bulletinFamily | exploit |
description | BUGTRAQ ID: 35584 CVE(CAN) ID: CVE-2009-2334 WordPress is a free forum and blog system. WordPress lacks permission checks for plugin configuration PHP modules that use the page parameter. If an unprivileged user replaces options-general.php or plugins.php with admin.php in a request, they can view the contents of plugin configuration pages without authorization, or modify certain plugin options and inject JavaScript code. WordPress WordPress 2.8; WordPress WordPress MU 2.7.1. WordPress: the vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://wordpress.org/ |
id | SSV:11788 |
last seen | 2017-11-19 |
modified | 2009-07-10 |
published | 2009-07-10 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-11788 |
title | WordPress wp-admin/admin.php Module Incorrect Permission Check Vulnerability |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:11777 |
last seen | 2017-11-19 |
modified | 2009-07-09 |
published | 2009-07-09 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-11777 |
title | WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures |
References
- http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked
- http://securitytracker.com/id?1022528
- http://wordpress.org/development/2009/07/wordpress-2-8-1/
- http://www.debian.org/security/2009/dsa-1871
- http://www.exploit-db.com/exploits/9110
- http://www.osvdb.org/55712
- http://www.osvdb.org/55715
- http://www.securityfocus.com/archive/1/504795/100/0/threaded
- http://www.securityfocus.com/bid/35584
- http://www.vupen.com/english/advisories/2009/1833
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00597.html
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00608.html
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00632.html
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00676.html